certificate/sign is fundamentally broken and cannot work as it is with existing sync.next plan

Chris Karlof ckarlof at mozilla.com
Fri Nov 22 15:23:37 PST 2013


This change was reverted on the dev server (https://api-accounts.dev.lcip.org/) and the latest dev server.

It should now be emitting certs with principal: { email: <uid>@<server domain> }.

Sorry Nick. The original change was done to support a FxOS sprint and was clearly pushed too hastily. The formatting of the signed certificates will likely change in the future, but will be deployed to dev servers more thoughtfully and in better coordination with the existing verifiers. 

I encourage everyone to follow and participate in the discussion:

https://groups.google.com/forum/#!topic/mozilla.dev.identity/1ecTUrOFzbQ

-chris


On Nov 22, 2013, at 12:30 PM, Nick Alexander <nalexander at mozilla.com> wrote:

> Hello team,
> 
> certificate/sign now returns a Browser ID certificate certifying a public email address [1].  Observe the {"email":"testtestk at ..."} below.  The private key signing the certificate is not the same as the private key of the IdP hosting the email address.  (If there even is a Persona-style IdP at the appropriate host.)
> 
> The existing token server rightly rejects such bullshit certificates (and assertions generated from them).  This completely breaks the proposed sync.next plan.
> 
> I am going on PTO for 2 weeks and can't escalate this any further.
> 
> Nick
> 
> [1] long example:
> 
> Assertion from server login was:
> 
> eyJhbGciOiJSUzI1NiJ9.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TQ3Y2Y3ZT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NTViMzc5MjI1ZmViMDIxNGEwNGJlZDcyZjMzZTA2NjRkMjkwZTdjODQwZGYzZTJhYmI1ZTQ4MTg5ZmE0ZTkwNjQ2ZjE4NjdkYjI4OWM2NTYwNDc2Nzk5ZjdiZTg0MjBhNmRjMDFkMDc4ZGU0MzdmMjgwZmZmMmQ3ZGRmMTI0OGQ1NmUxYTU0YjkzM2E0MTYyOWQ2YzI1Mjk4M2M1ODc5NTEwNTgwMmQzMGQ3YmNkODE5Y2Y2ZWYifSwicHJpbmNpcGFsIjp7ImVtYWlsIjoidGVzdHRlc3RrQG1vY2tteWlkLmNvbSIsInVpZCI6ImM1Njg0YThjLWVkMGItNDIxMy1iZTgyLTNmODU5NGE0Njc0OSJ9LCJpYXQiOjEzODUxNTA0MjcyODMsImV4cCI6MTM4NTE4MTk2MzI4MywiaXNzIjoiYXBpLWFjY291bnRzLmRldi5sY2lwLm9yZyJ9.as9_EJQlE_JD_kwTKtdrRq4eSh9DW9lyzZlMvD4YsNJNEswbKmG0AUKXYsVUEZ1wY0tAFkelgs7fojKkD52p5bIVu-s-PH6y765qruyQ22JPy5DLBl_by-WAeAQybTHRjJs4LefEeMOYnvFztA2TCXQO1Rzm1dVlmLn5xmsxDoCG-H-IYJFvQgUkmxcSNbAFfF9BiNnxN_-LcMO82BTlh1xzQYGb2bVejE5T7vyOy1kcqWxu83bBgPupnKs9n88JT3_TpKFqkrQe1_lXNmH06OzCBY1nCZEiwLHgTr1Crt3i-WddrUS6WAKEXz9Tcnbhw0v85HXD8uClqPdCxV_MDA~eyJhbGciOiJEUzI1NiJ9.eyJleHAiOjE0MTY2ODY0MjczMzYsImF1ZCI6Imh0dHA6Ly9hdXRoLm9sZHN5bmMuZGV2LmxjaXAub3JnIn0.M5EAfpr3YqxO6vHLyoGwvGENsi9slld1ZpU2POy6QE9J1fgPCgtXY3r_P5x0_qHjd8IvQsvhKD92Z-fz0_bAZA
> 
> Corresponds to:
> 
> certificate header:    {"alg":"RS256"}
> certificate payload: {"public-key":{"algorithm":"DS","y":"6148934e8415739246a9876e79b26b7344d203c6e566e821d0680b482f08b9013fcd3fc40891f085d0fcc5b57bebeaf8fb187fb6b3b4e642adb3431ea2a342f05a8188d8ccfaca739b37090a38af7d438f4d2cccd56893dcb061b52602789d3300acfaf7d34378a7a4edb3f93533ca4d3c6bb6d62652c502371ae74a498c13e37340a9fae5ddcd0dbe057b2652c91a20749706f8e289bbb18831d2db700108e8931e0e5a5df18b76ae2d520a0d5a9da745e9a1368144318874f4159b36340ec4dc77ea834f7aeaee6b5782e7585fd6fc11dbc32312ba4981153f2b85791ee6c2189e69315feca7d04455144ff998376d966d99d26ec134f9a971780baea0b93e","p":"d6c4e5045697756c7a312d02c2289c25d40f9954261f7b5876214b6df109c738b76226b199bb7e33f8fc7ac1dcc316e1e7c78973951bfc6ff2e00cc987cd76fcfb0b8c0096b0b460fffac960ca4136c28f4bfb580de47cf7e7934c3985e3b3d943b77f06ef2af3ac3494fc3c6fc49810a63853862a02bb1c824a01b7fc688e4028527a58ad58c9d512922660db5d505bc263af293bc93bcd6d885a157579d7f52952236dd9d06a4fc3bc2247d21f1a70f5848eb0176513537c983f5a36737f01f82b44546e8e7f0fabc457e3de1d9c5dba96965b10a2a0580b0ad0f88179e10066107fb74314a07e6745863bc797b7002ebec0b000a98eb697414709ac17b401","q":"b1e370f6472c8754ccd75e99666ec8ef1fd748b748bbbc08503d82ce8055ab3b","g":"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"},"principal":{"email":"testtestk at mockmyid.com","uid":"c5684a8c-ed0b-4213-be82-3f8594a46749"},"iat":1385150427283,"exp":1385181963283,"iss":"api-accounts.dev.lcip.org"}
> certificate signature: 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
> assertion   header:    {"alg":"DS256"}
> assertion   payload: {"exp":1416686427336,"aud":"http://auth.oldsync.dev.lcip.org"}
> assertion   signature: 3391007e9af762ac4eeaf1cbca81b0bc610db22f6c9657756695363cecba404f49d5f80f0a0b57637aff3f9c74fea1e377c22f42cbe1283f7667e7f3d3f6c064
> 
> _______________________________________________
> Dev-fxacct mailing list
> Dev-fxacct at mozilla.org
> https://mail.mozilla.org/listinfo/dev-fxacct
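The rejection Nick describes comes down to one structural rule a BrowserID verifier applies before it even looks at a signature: the `iss` of a certificate must be the domain of the email it certifies, because only that domain's IdP key is trusted to vouch for that address. The following is an added example, not code from the thread, the token server or Firefox Accounts. It rebuilds the `<cert>~<assertion>` bundle shape with the payload fields quoted above (uid, timestamps, issuer, audience are taken from the message; the `public-key` field is left out and the signatures are constructed zero bytes that are never verified), then runs the issuer check, plus the audience and expiry checks, against both the `testtestk@mockmyid.com` certificate that broke sync.next and the reverted `<uid>@<server domain>` form.

```python
import base64
import json

# Constructed example. Field values below are copied from the thread; the
# signatures are placeholder bytes and are NOT verified (a real verifier
# would fetch the issuer's /.well-known/browserid key and check them).

UID = "c5684a8c-ed0b-4213-be82-3f8594a46749"
ISSUER = "api-accounts.dev.lcip.org"
AUDIENCE = "http://auth.oldsync.dev.lcip.org"
FAKE_SIG = b"\x00" * 32  # constructed placeholder, not a real signature


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # BrowserID/JWS segments are base64url without padding; restore it first
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jws(header: dict, payload: dict, sig: bytes) -> str:
    """Assemble header.payload.signature with compact JSON, as the server does."""
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(payload, separators=(",", ":")).encode(),
             sig]
    return ".".join(b64url_encode(p) for p in parts)


def parse_jws(token: str) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64)),
            "signature": b64url_decode(sig_b64)}


def parse_bundle(bundle: str):
    """A backed assertion is '<cert>[~<cert>...]~<assertion>'."""
    *certs, assertion = bundle.split("~")
    if not certs:
        raise ValueError("backed assertion needs at least one certificate")
    return [parse_jws(c) for c in certs], parse_jws(assertion)


def issuer_is_authoritative(cert_payload: dict) -> bool:
    """The issuer may only certify addresses in its own domain."""
    email = cert_payload.get("principal", {}).get("email", "")
    iss = cert_payload.get("iss", "")
    if "@" not in email or not iss:
        return False
    return email.rsplit("@", 1)[1].lower() == iss.lower()


def check_bundle(bundle: str, audience: str, now_ms: int):
    """Structural checks a verifier runs; returns (accepted, reason)."""
    certs, assertion = parse_bundle(bundle)
    cert = certs[-1]["payload"]  # the leaf certificate names the principal
    email = cert.get("principal", {}).get("email", "?")
    if not issuer_is_authoritative(cert):
        domain = email.rsplit("@", 1)[-1]
        return False, f"issuer {cert.get('iss')} is not authoritative for {domain}"
    if cert.get("exp", 0) <= now_ms:
        return False, "certificate expired"
    a = assertion["payload"]
    if a.get("aud") != audience:
        return False, f"audience mismatch: {a.get('aud')}"
    if a.get("exp", 0) <= now_ms:
        return False, "assertion expired"
    return True, f"principal {email} accepted (signatures not checked here)"


def build_bundle(email: str) -> str:
    cert = make_jws({"alg": "RS256"},
                    {"principal": {"email": email, "uid": UID},
                     "iat": 1385150427283, "exp": 1385181963283, "iss": ISSUER},
                    FAKE_SIG)
    assertion = make_jws({"alg": "DS256"},
                         {"exp": 1416686427336, "aud": AUDIENCE}, FAKE_SIG)
    return cert + "~" + assertion


BROKEN_BUNDLE = build_bundle("testtestk@mockmyid.com")  # what certificate/sign emitted
FIXED_BUNDLE = build_bundle(f"{UID}@{ISSUER}")         # the reverted principal format

if __name__ == "__main__":
    now = 1385150500000  # shortly after the 'iat' quoted in the thread
    for name, bundle in (("broken", BROKEN_BUNDLE), ("fixed", FIXED_BUNDLE)):
        print(name, check_bundle(bundle, AUDIENCE, now))
```

The mockmyid.com certificate fails at the first check regardless of how valid its signature is, which is exactly the behaviour Nick saw from the token server; the `<uid>@<server domain>` principal passes because the FxA server is authoritative for its own domain and can therefore be looked up as the IdP.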
